Sql injection

🗓️ 09 Jun 2023 06:16:00Reported by PRIOn knowledge baseType

The Active Directory Integration plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with administrator privileges to append additional SQL queries into existing queries, extracting sensitive information from the database

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2023-2484	9 Jun 202306:16	–	attackerkb
CNNVD	WordPress Plugin Active Directory Integration SQL注入漏洞	9 Jun 202300:00	–	cnnvd
CVE	CVE-2023-2484	9 Jun 202305:33	–	cve
Cvelist	CVE-2023-2484 Active Directory Integration / LDAP Integration <= 4.1.4 - Authenticated (Administrator+) SQL Injection	9 Jun 202305:33	–	cvelist
EUVD	EUVD-2023-33968	3 Oct 202520:07	–	euvd
NVD	CVE-2023-2484	9 Jun 202306:16	–	nvd
OSV	CVE-2023-2484	9 Jun 202306:16	–	osv
Patchstack	WordPress Active Directory Integration / LDAP Integration Plugin <= 4.1.4 is vulnerable to SQL Injection	15 May 202300:00	–	patchstack
Positive Technologies	PT-2023-19818 · WordPress · Active Directory Integration	9 Jun 202300:00	–	ptsecurity
RedhatCVE	CVE-2023-2484	23 May 202501:51	–	redhatcve

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/ldap-login-for-intranet-sites/trunk/class-mo-ldap-user-auth-reports.php
plugins	www.plugins.trac.wordpress.org/changeset
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/3eedc57b-79cc-4569-b6d6-676a22aa1e06

15 Jun 2023 13:25Current

5.3Medium risk

Vulners AI Score5.3

EPSS0.00456